United States Department of State
and the Broadcasting Board of Governors

Office of Inspector General

SENSITIVE BUT UNCLASSIFIED

JAN 7 2013

MEMORANDUM

TO: M - Patrick F. Kennedy

FROM: OIG - Harold W. Geisel, Deputy Inspector General

SUBJECT: Review of Overseas Security Policy Board Exceptions and Secure Embassy Construction and Counterterrorism Act of 1999 Waivers, ISP-I-13-06

Summary

The Office of Inspector General (OIG) conducted a review of Overseas Security Policy Board (OSPB) exceptions and Secure Embassy Construction and Counterterrorism Act of 1999 (SECCA) waivers granted by the Bureau of Diplomatic Security (DS) to overseas posts. The DS Countermeasures Directorate, Office of Physical Security Programs (DS/C/PSP) does not adequately track exceptions to OSPB physical security standards and SECCA waivers of colocation and setback. OIG recommends that DS implement procedures to track and report the status of and compliance with exceptions and waivers.

Scope and Methodology

OIG conducted reviews of physical security files and conditions at 27 overseas posts as well as files maintained by DS/C/PSP. OIG inspectors compared records maintained by DS with records maintained by overseas posts to determine whether posts had complied with stipulations under which exceptions and waivers had been granted. OIG also noted conditions that required an exception or waiver for which none had been filed.

As stated in 12 Foreign Affairs Handbook (FAH)-6 H-511.7 h. (1), DS is responsible for monitoring compliance with Department of State security standards. DS maintains a database of each post's compliance with physical security standards and the status of requests for exceptions and waivers. As specified in SECCA and 12 Foreign Affairs Manual (FAM) 315.1, only the Secretary, together with the head of each agency employing personnel that would not be located at the site, can waive the requirements for colocation and setback with respect to chanceries and consulates. For buildings other than chanceries or consulates within the meaning of the statute, the Secretary has delegated authority for colocation and setback to the Assistant Secretary for DS, who is also authorized to grant exceptions to all OSPB security standards.

Exceptions to a security standard may be requested by the post, an agency at post, or the Department of State. Procedures for requesting and processing waivers and exceptions are described in 12 FAH-5 H-210, Exception Request Procedures, and in 12 FAM 315, Waivers and Exceptions. As a condition of granting an exception or waiver, the Department of State may stipulate steps to mitigate vulnerabilities.

Background and Findings

Although posts are not required to maintain exception and waiver records, keeping an active file is important. When a new regional security officer arrives at post, accurate records can help ensure that outstanding exception and waiver requests are followed up, that mitigating steps are understood and completed, and that restrictions, such as building use, are enforced.

Despite OIG's initial concerns, only a small number of posts had not complied with stipulations in approval documents; most were minor. OIG inspectors found that about one-third of waivers and exceptions records at overseas posts did not match those in DS/C/PSP files. In 15 cases, regional security officers were unable to locate an exception or waiver approval or denial that was on file with DS/C/PSP. In addition, several posts had active exceptions on file that could not be found in DS/C/PSP files.

Inspectors also found conditions of noncompliance with security standards for which posts had not sought exceptions or waivers. Posts had either failed to submit requests for exceptions or waivers¹ or the requests did not accurately describe conditions of noncompliance. The most common example was the use of warehouse space for offices. (Office space must meet greater physical security standards than warehouse space.)

DS does not regularly review waiver approvals to determine whether they are still active. As of August 2011, DS/C/PSP had more than 1,000 exceptions and waivers on file dating back to 1987. Inspectors found waivers for facilities that are no longer leased by the U.S. Government or no longer exist. DS does not have formal monitoring procedures to determine whether posts are requesting exceptions and waivers for all conditions that do not meet security standards and complying with stipulations in exception and waiver approvals.

Recommendation 1: The Bureau of Diplomatic Security should require overseas posts to submit an annual written certification that exceptions and waivers have been requested for all circumstances where an Overseas Security Policy Board security standard cannot be met and provide a statement of assurance signed by the chief of mission confirming that the post is adhering to stipulations in existing waivers and exceptions. (Action: DS)

Recommendation 2: The Bureau of Diplomatic Security should update annually its exception and waiver files and identify files that are inactive or obsolete. (Action: DS)

You should advise us on actions taken or planned on the recommendations within 30 days of the date of this memorandum. Actions taken or planned are subject to OIG followup and reporting.

(b)(2)(b)(6)

Enclosures:
       Compliance Sheet
       OIG Resolution Procedures

¹ As outlined in 12 FAH-5 H-200 & 300.